96e996b3f1be63ded8f9731feca578cb51ee29aee05c507ea860eb485211f67d

General

Target

96e996b3f1be63ded8f9731feca578cb51ee29aee05c507ea860eb485211f67d.exe
Size

12KB
MD5

89b1b2d257aff854463e39c0d28153c0
SHA1

5831ba6d5404ad10e80c804dce52d3ba85604389
SHA256

96e996b3f1be63ded8f9731feca578cb51ee29aee05c507ea860eb485211f67d
SHA512

4d6b446d5ed2a0d9c0f99c34f3f2290a73886ba73ea4cdd1945af1f2a8f08bf7051b15f4bd224b520ac76262eabd2211ff25c718cb99cc47e46c17650628dfc5
SSDEEP

384:jL7li/2zuq2DcEQvdhcJKLTp/NK9xaEUc:nmM/Q9cxc

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2120	tmp190D.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2120	tmp190D.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2080	96e996b3f1be63ded8f9731feca578cb51ee29aee05c507ea860eb485211f67d.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2080	96e996b3f1be63ded8f9731feca578cb51ee29aee05c507ea860eb485211f67d.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2604	2080	96e996b3f1be63ded8f9731feca578cb51ee29aee05c507ea860eb485211f67d.exe	28
PID 2080 wrote to memory of 2604	2080	96e996b3f1be63ded8f9731feca578cb51ee29aee05c507ea860eb485211f67d.exe	28
PID 2080 wrote to memory of 2604	2080	96e996b3f1be63ded8f9731feca578cb51ee29aee05c507ea860eb485211f67d.exe	28
PID 2080 wrote to memory of 2604	2080	96e996b3f1be63ded8f9731feca578cb51ee29aee05c507ea860eb485211f67d.exe	28
PID 2604 wrote to memory of 2652	2604	vbc.exe	30
PID 2604 wrote to memory of 2652	2604	vbc.exe	30
PID 2604 wrote to memory of 2652	2604	vbc.exe	30
PID 2604 wrote to memory of 2652	2604	vbc.exe	30
PID 2080 wrote to memory of 2120	2080	96e996b3f1be63ded8f9731feca578cb51ee29aee05c507ea860eb485211f67d.exe	31
PID 2080 wrote to memory of 2120	2080	96e996b3f1be63ded8f9731feca578cb51ee29aee05c507ea860eb485211f67d.exe	31
PID 2080 wrote to memory of 2120	2080	96e996b3f1be63ded8f9731feca578cb51ee29aee05c507ea860eb485211f67d.exe	31
PID 2080 wrote to memory of 2120	2080	96e996b3f1be63ded8f9731feca578cb51ee29aee05c507ea860eb485211f67d.exe	31

C:\Users\Admin\AppData\Local\Temp\96e996b3f1be63ded8f9731feca578cb51ee29aee05c507ea860eb485211f67d.exe
"C:\Users\Admin\AppData\Local\Temp\96e996b3f1be63ded8f9731feca578cb51ee29aee05c507ea860eb485211f67d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xltdtps3\xltdtps3.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1A35.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2ECFE12657554F6D80A5E34094E34373.TMP"
    3⤵
    PID:2652
- C:\Users\Admin\AppData\Local\Temp\tmp190D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp190D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\96e996b3f1be63ded8f9731feca578cb51ee29aee05c507ea860eb485211f67d.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
4f6005f46c010c0dacf90526b36dc4ac

SHA1
c44f23af36385257ec32dc9d644f30b5c131e8e2

SHA256
f5e901aa0925f8700734d5ef54bcc629ab44eec0328c8cec075a9717aa794608

SHA512
0d3220e540f9f0f548f48c95e4c9f70fbb912f92edf998caa53ca6c5551f4b183681a37f0f86a24932d9c7052f70fab779fc0741f70b0b608aae7b707353ab05

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1A35.tmp

Filesize
1KB

MD5
9dd7bc7dbcfbd43868810ae92c6752a0

SHA1
d3ee616f273f856518057b9d7d973b69b7eb733b

SHA256
7b5dae564c8d66c5207fc1f57c587efab00797d0345f6ed95085456159eb5290

SHA512
dd59b3f43ec276b8421ed4d4c1941d42aa2fb79c684264b4b8969c0f71028398b7eecdbb03ea5985f698b6a63d6e165ee85063f160b17bf752f74edb39ea30f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp190D.tmp.exe

Filesize
12KB

MD5
ad8000594c6c5e83438a5ce8527bfd00

SHA1
08e426f687bd6dbdaa4debd986000adb2f31de2f

SHA256
f2ed8c37f2924778859118ba47dd3701217b74a18946b590d4fefae887c8ed00

SHA512
056dde496ea8f69dba56fb677bf34883efc2c1776b42f5c61ec9e680e590f2c689f382ac66e5cb9827f5a11b10c574d8ba25bf45ce0064715922b61d26d45eda

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2ECFE12657554F6D80A5E34094E34373.TMP

Filesize
1KB

MD5
9488c0b5c91f74a04b9ee31fadaad64d

SHA1
6749258b68b7beae18438a66b6569a6882bc1f1a

SHA256
9d2182e373ac03e3f995647c9135f437fcf29a5ce58d628be9d17ce2e65d8162

SHA512
9e74c28f4c85004aef65c11b98635ce302fd9b812425104a24b0cc4d6e8dde7088fe78bc9d4e7d414cc2c2ebbf949905463184521c1aa77d476e1016887e79c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\xltdtps3\xltdtps3.0.vb

Filesize
2KB

MD5
e5d36ac005935c318d49215725061c2b

SHA1
bc80673d002c681d86f204ff24f3d0c4f9857fe5

SHA256
fb16d4af38a12e47a620192d0331afa6547df3ab6a45155b2fe3f2e98a2129d3

SHA512
b1bf1a21fa65d3b9bc2e2c67cdaef48074898bd051e970acbb68e504bd14c0044b24a3b414c76bf05d9698ae58324c46cc5a2224be1d30c0925dfb94eb5b0a5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xltdtps3\xltdtps3.cmdline

Filesize
273B

MD5
389b6d091c4f1fcfeb68b1d2a38ac22d

SHA1
0627b09dfafaf37677faec7b26ad68f6e1235584

SHA256
c143a3101b3cc4799bf3f28de9b906a85294d5a17aa56a49082b226a455aef6f

SHA512
b6e705703452c00894995a99a012fd261be7633a293b16a7e2d9e1c39930c1c029a05fec84f756bf5fef5ee352ed806d18891e0df609cd0a66b20c29c5a025c7

Download Submit
memory/2080-0-0x00000000742CE000-0x00000000742CF000-memory.dmp

Filesize
4KB

Download
memory/2080-1-0x0000000000EE0000-0x0000000000EEA000-memory.dmp

Filesize
40KB

Download
memory/2080-7-0x00000000742C0000-0x00000000749AE000-memory.dmp

Filesize
6.9MB

Download
memory/2080-24-0x00000000742C0000-0x00000000749AE000-memory.dmp

Filesize
6.9MB

Download
memory/2120-23-0x0000000000F40000-0x0000000000F4A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing